Abstract

This paper is a guide for the pure mathematician who would like to know more about cryptography based on group theory. The paper gives a brief overview of the subject, and provides pointers to good textbooks, key research papers and recent survey papers in the area.

1 Introduction

In the last few years, many papers have proposed cryptosystems based on group theoretic concepts. Notes from a recent advanced course on the subject by Myasnikov, Shpilrain and Ushakov have recently been published as a monograph [66], and a textbook (with a rather different focus) by Gonzalez Vasco, Magliveras and Steinwandt [34] is promised in 2010. Group-based cryptosystems have not yet led to practical schemes to rival RSA and Diffie-Hellman, but the ideas are interesting and the different perspective leads to some worthwhile group theory. The cryptographic literature is vast and diverse, and it is difficult for a newcomer to the area to find the right sources to learn from. (For example, there are many introductory textbooks aimed at the mathematical audience that introduce RSA. How many of these textbooks hint that the basic RSA scheme is insecure if refinements such as message padding are not used? For a discussion of these issues, see Smart [81, Chapters 17, 18 and 20], for example.) Our paper will provide some pointers to some sources that, in our opinion, provide a good preparation for reading the literature on group-based cryptography; the paper will also provide a high level overview of the subject. We are assuming that our reader already has a good knowledge of group theory, and a passing acquaintance with cryptography: the RSA and Diffie-Hellman schemes have been met before, and the difference between a public key and a symmetric key cipher is known.

The remainder of the paper is structured as follows. In Section 2 we review some of the basic concepts of cryptography we will need. In Section 3 we introduce some of the most widely studied schemes in group-based cryptography, and in Section 4 we sketch attacks on these schemes. In all these sections, we cite references that provide more details. Finally, in Section 5 we touch on some related areas and give suggestions as to where to search for current papers and preprints in the subject.

2 Cryptography Basics 

There are innumerable books on cryptography that are written for a popular 
audience: they almost always take a historical approach to the subject. For 
those looking for a definitive historical reference book, we would recommend 
Kahn [46] for an encyclopedic and beautifully written account.

Technical introductions to the area written for a mathematical audience 
tend to concentrate (understandably, but regrettably from the perspective 
of a cryptographer) on the areas of cryptography that have the most mathematical content. Stinson [85] is a well-written introduction that avoids this pitfall. Another good reference is Smart [81], which has the advantage of being available online for free. Once these basics are known, we suggest reading a book that looks at cryptography from the perspective of theoretical computer science and complexity theory: Katz and Lindell [49] is a book we very much enjoy. The theoretical computer science approach has had a major influence on the field, but is not without its controversial aspects: see Koblitz [52] and responses by Goldreich and others [33]. For readers
who insist on falling into the mathematical pit mentioned above, the book 
by Washington [90] on cryptography using elliptic curves is an excellent 
follow-up read; elliptic curve based cryptography is becoming the norm for 
the current generation of public key cryptosystems. As we are writing for a 
mathematical audience, we also consciously aim to fall into this pit. 

A standard model for a cryptographic scheme is phrased as two parties, 
Alice and Bob, who wish to communicate securely over an insecure channel 
(such as a wireless link, or a conventional phone line). If Alice and Bob 
possess information in common that only they know (a shared secret key) 
they can use this, together with a symmetric key cipher such as AES (the 
Advanced Encryption Standard), to communicate. If Alice and Bob do not 
possess a secret key, they execute a protocol such as the Diffie-Hellman key
agreement protocol to create one, or use a public key cryptosystem such as 
RSA or ElGamal that does not need a secret key. Many of the schemes 
we discuss are related to the Diffie-Hellman protocol, so we give a brief 
description of this protocol as a reminder to the reader. 

Diffie-Hellman Key Agreement Protocol [26]. Let $G$ be a cyclic group, and $g$ a generator of $G$, where both $g$ and its order $d$ are publicly known. If Alice and Bob wish to create a shared key, they can proceed as follows:

1. Alice selects uniformly at random an integer $a \in [2, d-1]$, computes $g^a$, and sends it to Bob.

2. Bob selects uniformly at random an integer $b \in [2, d-1]$, computes $g^b$, and sends it to Alice.

3. Alice computes $k_a = (g^b)^a$, while Bob computes $k_b = (g^a)^b$.

4. The shared key is thus $k = k_a = k_b \in G$.

The security of the scheme relies on the assumption that, knowing $g \in G$ and having observed both $g^a$ and $g^b$, it is computationally infeasible for an adversary to obtain the shared key. This is known as the Diffie-Hellman Problem (DHP). The Diffie-Hellman problem is related to a better known problem, the Discrete Logarithm Problem:

Discrete Logarithm Problem (DLP). Let $G$ be a cyclic group, and $g$ a generator of $G$. Given $h \in G$, find an integer $t$ such that $g^t = h$.

Clearly, if the DLP is easy then so is the DHP and thus the Diffie- 
Hellman key agreement protocol is insecure. So, as a minimum requirement, 
we are interested in finding difficult instances of the DLP. It is clear that the difficulty of the DLP depends heavily on the way the group $G$ is represented, not just on the isomorphism class of $G$. For example, the DLP is trivial if $G = \mathbb{Z}/d\mathbb{Z}$ is the additive group generated by $g = 1$. However, if $G$ is an appropriately chosen group of large size, the DLP is considered computationally infeasible. In practice, one often uses $G = \mathbb{F}_{p^e}^*$ (for appropriately selected prime $p$ and exponent $e$) or the group of points of a properly chosen elliptic curve over a finite field.
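To make the representation point concrete, here is an added example (ours, not code from the paper) that runs the protocol above over one cyclic group of order 509 in two representations: the additive group $\mathbb{Z}/509\mathbb{Z}$, where the DLP falls to a single modular inverse, and the order-509 subgroup of $\mathbb{F}_{1019}^*$, where the only method shown is exhaustive search. The prime, the generators and the small `group` interface are assumptions of the example.

```python
"""Diffie-Hellman in two representations of the same cyclic group of order 509.

Added example, not the paper's code. The same abstract group Z/509Z is realised
once as (Z/509Z, +), where the DLP is solved by one modular inverse, and once as
the subgroup of F_1019^* generated by 4, where the only method shown is
exhaustive search. P = 1019 (with (P-1)/2 = 509 prime, so 4 = 2^2 has order
exactly 509) and the generators are toy values chosen for this example.
"""
import secrets

P = 1019           # toy prime; F_P^* is cyclic of order 2 * 509
D = 509            # order of the generator in both representations
G_MUL = 4          # generates the subgroup of order 509 in F_P^*
G_ADD = 7          # generates (Z/509Z, +); any non-zero residue does

def power(op, identity, base, exponent):
    """Generic square-and-multiply: base combined with itself 'exponent' times."""
    result, acc = identity, base
    while exponent:
        if exponent & 1:
            result = op(result, acc)
        acc = op(acc, acc)
        exponent >>= 1
    return result

# Each representation is the group law, its identity and the public generator.
MUL = dict(op=lambda x, y: x * y % P, identity=1, g=G_MUL)
ADD = dict(op=lambda x, y: (x + y) % D, identity=0, g=G_ADD)

def diffie_hellman(group, a=None, b=None):
    """Run the protocol; returns (Alice's message, Bob's message, k_a, k_b)."""
    a = a if a is not None else 2 + secrets.randbelow(D - 2)   # a in [2, D-1]
    b = b if b is not None else 2 + secrets.randbelow(D - 2)   # b in [2, D-1]
    op, e, g = group["op"], group["identity"], group["g"]
    g_a = power(op, e, g, a)        # Alice -> Bob
    g_b = power(op, e, g, b)        # Bob -> Alice
    return g_a, g_b, power(op, e, g_b, a), power(op, e, g_a, b)

def additive_dlp(h):
    """DLP in (Z/DZ, +): t*G_ADD = h (mod D) is solved by t = h * G_ADD^{-1}."""
    return h * pow(G_ADD, -1, D) % D

def multiplicative_dlp(h):
    """DLP in <G_MUL> by exhaustive search: returns (t, group operations used).
    The additive shortcut does not carry over to this representation."""
    x, t = 1, 0
    while x != h:
        x, t = x * G_MUL % P, t + 1
    return t, t
```

An eavesdropper on the additive run reads Alice's exponent straight off her message with `additive_dlp` and then computes the key; on the multiplicative run the same eavesdropper is reduced to up to 509 group operations here, and that search is what becomes infeasible only when $d$ is large.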

Turning from the Diffie-Hellman scheme to the more general model, 
there are two points we would like to emphasise: 
• Alice and Bob are computers. So our aim is to create a proto-
col that is well-specified enough to be implemented. In particular, a 
well specified scheme must describe how group elements are stored and 
manipulated; the scheme's description must include an algorithm to 
generate any system-wide parameters; it must be clear how any ran- 
dom choices are made. (This last point is especially critical if we are 
choosing elements from an infinite set, such as a free group!) More- 
over, the protocol should be efficient; the computational time required 
to execute the protocol is critical, but so are: the number of bits that 
need to be exchanged between Alice and Bob; the number of passes 
(exchanges of information) that are needed in the protocol; the sizes 
of keys; the sizes of system parameters. 

• Security is a very subtle notion. For the last 100 years, it has 
become standard for cryptographers to assume that any eavesdropper 
knows everything about the system that is being used apart from se- 
cret keys and the random choices made by individual parties. (Claude 
Shannon [78, page 662] phrased this as 'The enemy knows the system being used'; the phrase 'The enemy knows the system' is known
as Shannon's maxim.). But modern security is often much more de- 
manding. For example, in the commonly studied IND-CCA2 model, 
we require that an eavesdropper cannot feasibly guess (with success 
probability significantly greater than 0.5) which of two messages has 
been encrypted, when they are presented with a single challenge ci- 
phertext that is an encryption of one of the messages. This should 
even be true when the eavesdropper can choose the two messages, and 
is allowed to request the decryption of any ciphertext not equal to the 
challenge ciphertext. Note that cryptographers are usually interested 
in the complexity in the generic case (in other words, what happens 
most of the time). Worst case security estimates might not be useful 
in practice, as the worst case might be very rare; even average case 
estimates might be unduly distorted by rare but complicated events. 
See Myasnikov et al. [66] for a convincing argument on this point in
the context of group-based cryptography. 

We end the section by making the point that modern cryptography is 
much broader than the traditional two party communication model we have 
discussed here: there is a thriving community developing the theory of multi- 
party communication, using such beautiful concepts as zero knowledge. See 
Stinson [85, Chapter 13] for an introduction to zero knowledge, and see the links from Helger Lipmaa's page [58] for some of the important papers on multi-party computation.

3 Cryptography Using Groups 

This section will discuss several ways in which group theory can be used 
to construct variants of the Diffie-Hellman key agreement protocol. Since 
the protocol uses a cyclic subgroup of a finite group G, one approach is 
to search for examples of groups that can be efficiently represented and 
manipulated, and that possess cyclic subgroups with a DLP that seems 
hard. Various authors have suggested using a cyclic subgroup of a matrix 
group in this context, but some basic linear algebra shows that this approach 
is not very useful: the DLP is no harder than the case when G is the 
multiplicative group of a finite field; see Menezes and Vanstone [M] for more 
details. Biggs [6] has proposed representing an abelian group as a critical
group of a finite graph; but Blackburn [11] has shown that this proposal is 
insecure. An approach (from number theory rather than group theory) that 
has had more success is to consider the group of points on an elliptic curve, 
or Jacobians of hyperelliptic curves. See Galbraith and Menezes [27] for a 
survey of this area. 

All the proposals discussed above use representations of abelian (indeed, 
cyclic) groups. What about non-abelian groups? The first proposal to use 
non-abelian groups that we are aware of is due to Wagner and Magyarik [89] 
in 1985. (See Gonzalez Vasco and Steinwandt [36] for an attack on this 
proposal; see Levy-dit-Vehel and Perret [56, 57] for more recent related
work.) But interest in the field increased with two high-profile proposals 
approximately ten years ago. We now describe these proposals. 

3.1 Conjugacy and exponentiation 

Let $G$ be a non-abelian group. For $g, x \in G$ we write $g^x$ for $x^{-1}gx$, the conjugate of $g$ by $x$. The notation suggests that conjugation might be used instead of exponentiation in cryptographic contexts. So we can define an analogue to the discrete logarithm problem:

Conjugacy Search Problem. Let $G$ be a non-abelian group. Let $g, h \in G$ be such that $h = g^x$ for some $x \in G$. Given the elements $g$ and $h$, find an element $y \in G$ such that $h = g^y$.

Assuming that we can find a group where the conjugacy search problem 
is hard (and assuming the elements of this group are easy to store and manipulate), one can define cryptosystems that are analogues of cryptosystems
based on the discrete logarithm problem. Ko et al. proposed the following 
analogue of the Diffie-Hellman key agreement protocol. 

Ko-Lee-Cheon-Han-Kang-Park Key Agreement Protocol [51].

Let $G$ be a non-abelian group, and let $g$ be a publicly known element of $G$. Let $A, B$ be commuting subgroups of $G$, so $[a, b] = 1$ for all $a \in A$, $b \in B$. If Alice and Bob wish to create a common secret key, they can proceed as follows:

1. Alice selects at random an element $a \in A$, computes $g^a = a^{-1}ga$, and sends it to Bob.

2. Bob selects at random an element $b \in B$, computes $g^b = b^{-1}gb$, and sends it to Alice.

3. Alice computes $k_a = (g^b)^a$, while Bob computes $k_b = (g^a)^b$.

4. Since $ab = ba$, we have $k_a = k_b$ as group elements (though their representations might be different). For many groups, we can use $k_a$ and $k_b$ to compute a secret key. For example, if $G$ has an efficient algorithm to compute a normal form for a group element, the secret key $k$ could be the normal form of $k_a$ and $k_b$.

The interest in the paper of Ko et al. centred on their proposal for a concrete candidate for $G$ and the subgroups $A$ and $B$, as follows. We take $G$ to be the braid group $B_n$ on $n$ strings (see Artin [3], for example) which has presentation

$$B_n = \left\langle \sigma_1, \sigma_2, \ldots, \sigma_{n-1} \;\middle|\; \begin{array}{ll} \sigma_i\sigma_j\sigma_i = \sigma_j\sigma_i\sigma_j & \text{for } |i-j| = 1 \\ \sigma_i\sigma_j = \sigma_j\sigma_i & \text{for } |i-j| \geq 2 \end{array} \right\rangle.$$

Let $l$ and $r$ be integers such that $l + r = n$. Then we take

$$A = \langle \sigma_1, \sigma_2, \ldots, \sigma_{l-1} \rangle \quad\text{and}\quad B = \langle \sigma_{l+1}, \sigma_{l+2}, \ldots, \sigma_{l+r-1} \rangle.$$

The braid group is an attractive choice for the underlying group (a so- 
called 'platform group') in the Ko et al. key agreement protocol: there is an 
efficient normal form for an element; group multiplication and inversion can 
be carried out efficiently; the conjugacy problem looks hard for braid groups. 
Note that we have not specified the cryptosystem precisely. Of course, we 
have not chosen the values of n, I and r. But we have also not specified how 
to choose the element $g \in G$ (it emerges that this choice is critical). Finally, since the subgroups $A$ and $B$ are infinite, it is not obvious how the elements $a \in A$ and $b \in B$ should be chosen.

3.2 Computing a common commutator 

The following beautiful key agreement protocol, due to Anshel, Anshel and Goldfeld [1], has an advantage over the Ko et al. protocol: commuting subgroups $A$ and $B$ are not needed.

Anshel-Anshel-Goldfeld Key Agreement Protocol [1]. Let $G$ be a non-abelian group, and let elements $a_1, \ldots, a_k, b_1, \ldots, b_m \in G$ be public.

1. Alice picks a private word $x$ in $a_1, \ldots, a_k$ and sends $b_1^x, \ldots, b_m^x$ to Bob.

2. Bob picks a private word $y$ in $b_1, \ldots, b_m$ and sends $a_1^y, \ldots, a_k^y$ to Alice.

3. Alice computes $x^y$ and Bob computes $y^x$.

4. The secret key is $[x, y] = x^{-1}y^{-1}xy$.

Note that Alice and Bob can both compute the secret commutator: Alice can premultiply $x^y$ by $x^{-1}$ and Bob can premultiply $y^x$ by $y^{-1}$ and then compute the inverse: $[x, y] = (y^{-1}y^x)^{-1}$. (Alice obtains $x^y$ by substituting the received $a_i^y$ for $a_i$ in her word $x$, since conjugation by $y$ is a homomorphism; Bob obtains $y^x$ in the same way.)
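The two protocols of Sections 3.1 and 3.2 run step by step on a toy platform, as an added example that is not from the paper: the platform group is the symmetric group $S_8$ (permutations as tuples, which are their own normal form), the commuting subgroups for Ko et al. are the symmetric groups on $\{0,1,2,3\}$ and $\{4,5,6,7\}$, and the public elements for Anshel et al. are random permutations. These choices, and the names used, are the example's own; $S_8$ is chosen only so every step can be checked by hand, not for security.

```python
"""Ko et al. and Anshel-Anshel-Goldfeld key agreement on a toy platform group.

Added example, not the paper's code. The platform is the symmetric group S_8,
with a permutation stored as a tuple p where p[i] is the image of i, so the
tuple itself is a normal form. For the Ko et al. protocol the commuting
subgroups are A = Sym({0,1,2,3}) and B = Sym({4,5,6,7}): they commute because
they move disjoint points. S_8 is far too small to offer any security.
"""
import random

N = 8
IDENTITY = tuple(range(N))

def compose(p, q):
    """Product p*q, read left to right: first apply p, then q."""
    return tuple(q[p[i]] for i in range(N))

def inverse(p):
    inv = [0] * N
    for i, image in enumerate(p):
        inv[image] = i
    return tuple(inv)

def conjugate(g, x):
    """g^x = x^{-1} g x, the paper's notation."""
    return compose(compose(inverse(x), g), x)

def random_element(support, rng):
    """A random permutation that fixes every point outside 'support'."""
    support, images = list(support), list(support)
    rng.shuffle(images)
    p = list(IDENTITY)
    for src, dst in zip(support, images):
        p[src] = dst
    return tuple(p)

def ko_et_al(g, rng):
    """Section 3.1: returns (k_a, k_b), which agree because ab = ba."""
    a = random_element(range(0, 4), rng)              # Alice's secret a in A
    b = random_element(range(4, 8), rng)              # Bob's secret b in B
    g_a, g_b = conjugate(g, a), conjugate(g, b)       # the two exchanged messages
    return conjugate(g_b, a), conjugate(g_a, b)       # (g^b)^a and (g^a)^b

def evaluate(word, gens):
    """Evaluate a word, a list of (generator index, +1 or -1), in 'gens'."""
    result = IDENTITY
    for idx, sign in word:
        result = compose(result, gens[idx] if sign == 1 else inverse(gens[idx]))
    return result

def anshel_anshel_goldfeld(a_gens, b_gens, rng, length=10):
    """Section 3.2: returns (k_alice, k_bob, x, y); x and y are returned only
    so that a test can compare the keys with the commutator [x, y]."""
    x_word = [(rng.randrange(len(a_gens)), rng.choice((1, -1))) for _ in range(length)]
    y_word = [(rng.randrange(len(b_gens)), rng.choice((1, -1))) for _ in range(length)]
    x, y = evaluate(x_word, a_gens), evaluate(y_word, b_gens)
    b_conj = [conjugate(bj, x) for bj in b_gens]      # Alice -> Bob: b_j^x
    a_conj = [conjugate(ai, y) for ai in a_gens]      # Bob -> Alice: a_i^y
    x_y = evaluate(x_word, a_conj)                    # x^y: substitute a_i^y for a_i
    y_x = evaluate(y_word, b_conj)                    # y^x likewise
    k_alice = compose(inverse(x), x_y)                # x^{-1} y^{-1} x y
    k_bob = inverse(compose(inverse(y), y_x))         # (y^{-1} x^{-1} y x)^{-1}
    return k_alice, k_bob, x, y

def demo(seed=1):
    """Run both protocols once; returns three booleans: keys agree (Ko et al.),
    keys agree (Anshel et al.), and the Anshel et al. key equals [x, y]."""
    rng = random.Random(seed)
    g = random_element(range(N), rng)
    k_a, k_b = ko_et_al(g, rng)
    a_gens = [random_element(range(N), rng) for _ in range(3)]
    b_gens = [random_element(range(N), rng) for _ in range(3)]
    k_alice, k_bob, x, y = anshel_anshel_goldfeld(a_gens, b_gens, rng)
    commutator = compose(compose(compose(inverse(x), inverse(y)), x), y)
    return k_a == k_b, k_alice == k_bob, k_alice == commutator
```

The point to take from the toy run is the one made in the text: in the Ko et al. protocol agreement depends entirely on $ab = ba$, whereas in the Anshel et al. protocol nothing about $x$ and $y$ needs to commute, because each party reaches the commutator from a different side.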

The Anshel et al. protocol is far from well specified as it stands. In par- 
ticular, we have said nothing about our choice of platform group G. Like Ko 
et al., Anshel et al. proposed using braid groups because of the existence of 
efficient normal forms for group elements and because the conjugacy search 
problem seems hard. See Myasnikov et al. [66, Chapter 5] for a discussion of some of the properties a platform group should have; they discuss the possibilities of using the following groups as platform groups: Thompson's group F, matrix groups, small cancellation groups, solvable groups, Artin groups and Grigorchuk's group.

3.3 Replacing conjugation 

The Ko et al. scheme used conjugation in place of exponentiation in the 
Diffie-Hellman protocol, but there are many other alternatives. For example, we could define $g^a = \phi(a) g a$ and $g^b = \phi'(b) g b$ for any fixed functions $\phi : A \to A$ and $\phi' : B \to B$ (including the identity maps) and the scheme would work just as well. More generally, we may replace $a$ and $\phi(a)$ by unrelated elements from $A$: there are protocols based on the difficulty of the decomposition problem, namely the problem of finding $a_1, a_2 \in A$ such that $h = a_1 g a_2$ where $g$ and $h$ are known. See Myasnikov et al. [66, Chapter 4] for a discussion of these and similar protocols; one proposal we find especially interesting is the Algebraic Eraser [2, 48]. As an example of such a protocol, we briefly describe a scheme due to Stickel.

The Stickel Key Agreement Protocol [84]. Let $G = GL(n, \mathbb{F}_q)$, and let $g \in G$. Let $a, b$ be elements of $G$ of order $n_a$ and $n_b$ respectively, and suppose that $ab \neq ba$. The group $G$ and the elements $a, b$ are publicly known. If Alice and Bob wish to create a shared key, they can proceed as follows:

1. Alice chooses integers $l, m$ uniformly at random, where $0 < l < n_a$ and $0 < m < n_b$. She sends $u = a^l g b^m$ to Bob.

2. Bob chooses integers $r, s$ uniformly at random, where $0 < r < n_a$ and $0 < s < n_b$. He sends $v = a^r g b^s$ to Alice.

3. Alice computes $k_a = a^l v b^m = a^{l+r} g b^{m+s}$. Bob computes $k_b = a^r u b^s = a^{l+r} g b^{m+s}$.

4. The shared key is thus $k = k_a = k_b$.

3.4 Logarithmic signatures

There is an alternative approach to generalising the Diffie-Hellman scheme: 
to find a more direct generalisation of the DLP for groups that are not 
necessarily abelian. 

Let $G$ be a finite group, $S \subseteq G$ a subset of $G$ and $s$ a positive integer. For all $1 \leq i \leq s$, let $A_i = [a_{i1}, \ldots, a_{ir_i}]$ be a finite sequence of elements of $G$ of length $r_i > 1$, and let $\alpha = [A_1, \ldots, A_s]$ be the ordered sequence of the $A_i$. We say that $\alpha$ is a cover for $S$ if any $h \in S$ can be written as a product $h = h_1 \cdots h_s$, where $h_i = a_{ik_i} \in A_i$. If such a decomposition is unique for every $h \in S$, then $\alpha$ is said to be a logarithmic signature for $S$. One natural way to construct a logarithmic signature for a group $G$ is to take a subgroup chain

$$1 = G_0 < G_1 < \cdots < G_n = G,$$

and let $A_i$ be a complete set of coset representatives for $G_{i-1}$ in $G_i$. Then $\alpha = [A_1, \ldots, A_n]$ is a logarithmic signature (a so called transversal logarithmic signature) for $G$.

Given an element $h \in S$ and a cover $\alpha$ of $S$, obtaining a factorisation

$$h = a_{1k_1} \cdots a_{sk_s} \tag{1}$$

associated with $\alpha$ could well be a hard problem in general. Indeed, in some situations the problem is a Discrete Logarithm Problem. For example, let $G$ be generated by an element $g$ of large order, and define $A_{i+1} = [1, g^{2^i}]$. Let $S = \{ g^a \mid 0 \leq a < 2^s \}$. Then the $i$th bit of the discrete logarithm of $h \in S$ is equal to 1 if and only if $k_i = 2$ in the factorisation (1).
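The definitions above, and the DLP remark, as an added example that is not from the paper: it builds a transversal logarithmic signature of $(\mathbb{Z}/12\mathbb{Z}, +)$ from the chain $\{0\} < \langle 6 \rangle < \langle 2 \rangle < \mathbb{Z}/12\mathbb{Z}$, checks the cover and uniqueness conditions by exhaustive factorisation, and then builds the binary signature $A_{i+1} = [1, g^{2^i}]$ in $\mathbb{F}_{257}^*$ with $g = 3$ to read a discrete logarithm off the factorisation (1). The groups, the chain and $g = 3$ (a primitive root modulo 257) are the example's own choices.

```python
"""Covers, logarithmic signatures and the binary signature tied to the DLP.

Added example, not the paper's code. Group elements are integers and the
group law is passed in explicitly, so the same routines serve an additive and
a multiplicative group. Both instances are toy-sized so that factorisation by
exhaustive search (which is all this example does) finishes instantly.
"""
from itertools import product

def right_coset_reps(big, small, op):
    """A complete set of right coset representatives of 'small' in 'big'."""
    reps, covered = [], set()
    for x in sorted(big):
        if x not in covered:
            reps.append(x)
            covered.update(op(h, x) for h in small)
    return reps

def transversal_signature(chain, op):
    """alpha = [A_1, ..., A_n] from a chain 1 = G_0 < G_1 < ... < G_n = G."""
    return [right_coset_reps(chain[i], chain[i - 1], op) for i in range(1, len(chain))]

def factorisations(alpha, h, op, identity):
    """All index tuples (k_1, ..., k_s), 1-based, with h = a_{1k_1} ... a_{sk_s}."""
    found = []
    for choice in product(*[range(len(block)) for block in alpha]):
        x = identity
        for block, k in zip(alpha, choice):
            x = op(x, block[k])
        if x == h:
            found.append(tuple(k + 1 for k in choice))
    return found

def is_cover(alpha, S, op, identity):
    return all(len(factorisations(alpha, h, op, identity)) >= 1 for h in S)

def is_logarithmic_signature(alpha, S, op, identity):
    return all(len(factorisations(alpha, h, op, identity)) == 1 for h in S)

# Instance 1 (constructed): transversal signature of (Z/12Z, +) from the chain
# {0} < <6> < <2> < Z/12Z.
add12 = lambda x, y: (x + y) % 12
CHAIN_12 = [{0}, {0, 6}, {0, 2, 4, 6, 8, 10}, set(range(12))]
ALPHA_12 = transversal_signature(CHAIN_12, add12)      # [[0, 6], [0, 2, 4], [0, 1]]

# Instance 2 (constructed): the binary signature of the DLP remark in F_257^*,
# with g = 3 (a primitive root modulo 257) and s = 8, so that S = F_257^*.
P, G, S_BITS = 257, 3, 8
mul257 = lambda x, y: x * y % P
ALPHA_BIN = [[1, pow(G, 2 ** i, P)] for i in range(S_BITS)]   # A_{i+1} = [1, g^(2^i)]

def dlog_from_signature(h):
    """Discrete log of h to base G read off its unique factorisation: the i-th
    bit (counting from 1) is set exactly when k_i = 2."""
    (ks,) = factorisations(ALPHA_BIN, h, mul257, 1)
    return sum(1 << (i - 1) for i, k in enumerate(ks, start=1) if k == 2)
```

`factorisations` is deliberately exhaustive: it enumerates all $r_1 \cdots r_s$ products, which is the cost an adversary faces when nothing about $\alpha$ is exploitable, and it is exactly the cost that the transversal structure (or, in instance 2, the discrete logarithm) is meant to collapse for the legitimate user.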

Though there are connections with the DLP, logarithmic signatures can- 
not be directly used in discrete logarithm based protocols, as there is no 
analogue of exponentiation. They were first used by Magliveras [59] to con- 
struct a symmetric cipher known as Permutation Group Mappings (PGM). 
The ideas behind PGM have inspired several public key cryptosystems based 
on logarithmic signatures. Qu and Vanstone [76] proposed a scheme (Finite 
Group Mappings, or FGM) based on transversal logarithmic signatures in 
elementary abelian 2-groups. Magliveras, Stinson and van Trung [62] developed two interesting schemes based on finite permutation groups, $MST_1$ and $MST_2$. More recently, a public key cryptosystem based on Suzuki 2-groups (known as $MST_3$) has been proposed by Lempken et al. [55].

3.5 Symmetric schemes 

Group theory has mainly been used in proposals of public key cryptosystems 
and key exchange schemes, but has also been used in symmetric cryptogra- 
phy. We have already mentioned the block cipher PGM [59]. This cipher 
satisfies some nice algebraic and statistical properties (such as robustness, 
scalability and a large key space; see [61]). However, fast implementation 
becomes an issue, making it a rather inefficient cipher compared with more 
traditional block ciphers. (An attempt was made to improve PGM by letting the platform group be a 2-group, but again speed remains an issue [17].)
This subsection contains two more examples of group theory being used in 
symmetric cryptography. 

A block cipher such as DES [70] or AES [73] can be regarded as a set 
S of permutations on the set of all possible blocks, indexed by the key. 
The question as to whether S is in fact a group has an impact on the ci- 
pher's security in some situations: if the set was a group, then encrypting 
a message twice over using the cipher with different keys would be no more 
secure than a single encryption. Other properties of the group generated 
by $S$ are also of interest cryptographically [?] and attacks have been proposed against ciphers that do not satisfy some of these properties [17, ?] (though good group theoretic properties are not sufficient to guarantee a strong cipher [65]). We note however that computing the group generated by a block cipher is often very difficult. For instance, it is known that the group generated by the DES block cipher is a subgroup of the alternating group $A_{2^{64}}$ [91], with order greater than $2^{[\ldots]}$ (and thus $S$ for DES is not a group [16, 24]); however little more is known about its structure.

Block ciphers themselves are often built as iterated constructions of sim- 
pler key-dependent permutations known as round functions, and one can 
study properties of the permutation groups generated by these round func- 
tions. It has been shown, for instance, that the round functions of both DES 
and AES block ciphers are even permutations; furthermore it can be shown 
that these generate the alternating groups $A_{2^{64}}$ and $A_{2^{128}}$, respectively. See [?, 20, 82, ?, 92].

Hash function design is a second area of symmetric cryptography where 
groups have been used in an interesting way. Recall [85, Chapter 7] that
a hash function H is a function from the set of finite binary strings to a 
fixed finite set X. It should be easy to compute H{x) for any fixed string 
X, but it should be computationally infeasible to find two strings x and x' 
such that H{x) = H(x'). Hash functions are a vital component of many 
cryptographic protocols, but their design is still not well understood. The 
most widely used example of a hash function is SHA-1 (where SHA stands 
for Secure Hash Algorithm). See [71] for a description of this hash function. Security flaws have been found in SHA-1 [86]; the more recent SHA-2 family of hash functions [72] are now recommended. Zémor [93] proposed using walks through Cayley graphs as a basis for hash functions; the most well-known concrete proposal from this idea is a hash function of Tillich and Zémor [87]. We think this hash function deserves further study, despite a recent (and very beautiful) cryptanalysis due to Grassl et al. [38]: see Steinwandt et al. [83] and the references there for comments on the security of this hash function, and see Tillich and Zémor [88] for some more recent
literature. 
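The Cayley graph idea, as an added example that is not code from the paper or from Tillich and Zémor: a bit string is read as a walk in the Cayley graph of $SL(2, \mathbb{F}_{2^n})$ with respect to two generators, one edge per bit, and the matrix reached is the hash. The generator matrices $A = \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}$ and $B = \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}$ are the standard Tillich-Zémor ones; the degree $n = 8$ and the modulus $X^8 + X^4 + X^3 + X + 1$ are toy choices made here (the proposal uses $n$ in the low hundreds), and the cryptanalysis of Grassl et al. is not reproduced.

```python
"""Tillich-Zemor hashing as a walk in a Cayley graph of SL(2, F_{2^n}).

Added example, not the paper's or the original authors' code. A field element
of F_{2^N} is an int whose bit i is the coefficient of X^i; a matrix is a pair
of rows. N = 8 with modulus X^8 + X^4 + X^3 + X + 1 is a toy size chosen here
so that the construction can be traced; it offers no security at this size.
"""
N = 8
MODULUS = 0b100011011   # X^8 + X^4 + X^3 + X + 1, irreducible over F_2
X = 0b10                # the field element X

def f_mul(a, b):
    """Multiply in F_{2^N}: carry-less multiplication reduced modulo MODULUS."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # degree reached N: subtract (xor) the modulus
            a ^= MODULUS
    return result

def m_mul(m1, m2):
    """Product of 2x2 matrices over F_{2^N}; addition in the field is xor."""
    (a, b), (c, d) = m1
    (e, f), (g, h) = m2
    return ((f_mul(a, e) ^ f_mul(b, g), f_mul(a, f) ^ f_mul(b, h)),
            (f_mul(c, e) ^ f_mul(d, g), f_mul(c, f) ^ f_mul(d, h)))

def det(m):
    (a, b), (c, d) = m
    return f_mul(a, d) ^ f_mul(b, c)

IDENTITY = ((1, 0), (0, 1))
GEN_A = ((X, 1), (1, 0))          # edge taken for a 0 bit; det = 1
GEN_B = ((X, X ^ 1), (1, 1))      # edge taken for a 1 bit; det = 1

def tz_hash(bits):
    """Walk the Cayley graph from the identity, one generator per bit; the
    vertex reached is the hash value (a matrix in SL(2, F_{2^N}))."""
    m = IDENTITY
    for bit in bits:
        m = m_mul(m, GEN_B if bit else GEN_A)
    return m

def bits_of(data):
    """Big-endian bit expansion of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
```

Two properties are worth checking before using any hash of this shape: every output has determinant 1, so the digest lives in $SL(2, \mathbb{F}_{2^n})$ rather than in the full matrix ring, and since the digest is a product of generators, $H(x \,\|\, y) = H(x)\,H(y)$ for all bit strings $x, y$. The second property is convenient for parallel or incremental hashing but means the output is far from unstructured, which is the kind of structure the cryptanalyses cited above work with.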

4 Cryptanalysis 

In this section, we briefly outline some techniques that have been developed 
to demonstrate the insecurity of group-based schemes. 

4.1 Analysis of braid based schemes 

We begin with braid-based schemes. The interested reader is referred to the 
comprehensive survey articles by Dehornoy [25] and Garber [28].

In 1969, Garside [30] gave the first algorithm to solve the conjugacy 
problem in the braid group $B_n$. (The conjugacy problem asks whether two braids, in other words two elements of the braid group, are conjugate.) The question of efficiency of Garside's method lay dormant until the late 1980's. Since then there has been a great deal of research, significantly motivated by cryptographic applications, into finding a polynomial time solution to the conjugacy problem. Given two braids $x, y \in B_n$, Garside's idea was to construct finite subsets (so called summit sets) $I_x, I_y$ of $B_n$ such that $x$ is conjugate to $y$ if and only if $I_x = I_y$. An efficient solution to the conjugacy problem via this method would yield an efficient solution to the conjugacy search problem (and hence render the braid based protocol of Ko et al. theoretically insecure). However, for a given braid $x$, Garside's summit set $I_x$ may be exponentially large. The challenge has thus been to prove a polynomial bound on the size of a suitable invariant set associated with any given conjugacy class. Refinements to the summit set method (such as the super summit set, ultra summit set, and reduced super summit set methods) have been made over the years, but a polynomial bound remains elusive. Recent focus has been on an efficient solution to each of the three types of braids: periodic, reducible or pseudo-Anosov (according to the Nielsen-Thurston classification); see [?, ?, 9].

For the purposes of cryptography however, one need not efficiently solve 
the conjugacy problem in order to break a braid-based cryptosystem: one 
is free to use the specifics of the protocol being employed; any algorithm 
only needs to work for a significant proportion of cases; heuristic algorithms 
are quite acceptable. Indeed, Hofheinz and Steinwandt [39] used a heuristic 
algorithm to solve the conjugacy search problem with very high success rates: 
their attack is based on the observation that representatives of conjugate 
braids in the super summit set are likely to be conjugate by a permutation 
braid (a particularly simple braid). Their attack demonstrates an inherent 
weakness of both the Ko et al. protocol and the Anshel et al. protocol for
random instances, under suggested parameters. (This has led researchers to 
study ways of generating keys more carefully, to try to avoid easy instances.) 
Around the same time, several other powerful lines of attack were discovered, 
and we now discuss some of the work that has been done; see Gilman et 
al. [31] for another discussion of these attacks. 

Length-based attacks Introduced by Hughes and Tannenbaum [43], length-based attacks provide a neat probabilistic way of solving the conjugacy search problem in certain cases. Suppose we are given an instance of the conjugacy search problem in $B_n$. So we are given braids $x$ and $y^{-1}xy$, and we want to find $y$. Let $l : B_n \to \mathbb{Z}$ be a suitable length function on $B_n$ (for example, the length of the normal form of an element). If we can write $y = y'\sigma_i$ for some $i$, where $y'$ has a shorter length than $y$, then $l(\sigma_i y^{-1}xy\sigma_i^{-1})$ should be strictly smaller than $l(\sigma_j y^{-1}xy\sigma_j^{-1})$ for $j \neq i$. So $i$ can be guessed,
and the attack repeated for a smaller instance y' of y. The success rate of 
this probabilistic attack depends on the specific length function employed. 
For braid groups, there are a number of suitable length functions that allow 
this attack to be mounted. We comment that length-based attacks need to 
be modified in practice, to ensure (for example) that we do not get stuck in 
short loops; see Garber et al. [29] and Ruinskiy et al. [77]. Garber et al. [29] 
and Myasnikov and Ushakov [67] contain convincing attacks on both the Ko 
et al. and Anshel et al. protocols using a length-based approach. 

Linear algebra attacks The idea behind this attack is quite simple: take 
a linear representation of the braid group and solve the conjugacy search 
problem using linear algebra in a matrix group. There are two well-known 
representations of the braid group: the Burau representation (unfaithful for 
$n > 5$) and the faithful Lawrence-Krammer representation. Hughes [42] and
Lee and Lee [53] provide convincing attacks on the Anshel et al. protocol us- 
ing the Burau representation, and Cheon and Jun [23] provide a polynomial 
time algorithm to break the Ko et al. protocol using the Lawrence-Krammer 
representation. Budney [15] studies the relationship between conjugacy of 
elements in the braid group and conjugacy of their images in the unitary 
group under the Lawrence-Krammer representation. 

Other directions There have been many suggestions made to improve 
the security of schemes based on the above protocols. Themes range from 
changing the underlying problem (and instead investigating problems such 
as the decomposition problem, the braid root problem, the shifted conju- 
gacy problem and more) to changing the platform group (Thompson's group, 
polycyclic groups and others have been suggested). Furthermore, cryptog- 
raphers have created other cryptographic primitives based on the conjugacy 
search problem, for example authentication schemes and signature schemes. 
However, there are no known cryptographic primitives based on any of these 
ideas that convincingly survive the above sketched attacks. It seems to be 
the pattern that 'random' or 'generic' instances of either protocol lead to 
particularly simplified attacks. See the book by Myasnikov et al. [66] for
more on this. 
4.2 Stickel's scheme

Stickel's scheme was successfully cryptanalysed by Shpilrain [50]. We include 
a brief description of this attack as it is particularly simple, and illustrates 
what can go wrong if care is not taken in protocol design. The attack 
works as follows. First note that an adversary need not recover any of the 
private exponents l,m,r,s in order to derive the key k. Instead, it suffices 
upon intercepting the transmitted messages $u$ and $v$, to find $n \times n$ matrices $x, y \in G$ such that

$$xa = ax, \qquad yb = by, \qquad u = xgy.$$

One can then compute

$$xvy = x a^r g b^s y = a^r x g y b^s = a^r u b^s = k.$$

It remains to solve these equations for $x$ and $y$. The equations $xa = ax$ and $yb = by$ are linear, since $a$ and $b$ are known. The equation $u = xgy$ is not linear, but since $x$ is invertible we can rearrange: $x^{-1}u = gy$, with $g$ and $u$ known. Since $xa = ax$ if and only if $x^{-1}a = ax^{-1}$, we write $x_1 = x^{-1}$ and instead solve the following matrix equations involving $x_1$ and $y$:

$$x_1 a = a x_1, \qquad yb = by, \qquad x_1 u = gy.$$

Setting $x_1 = gyu^{-1}$ we can eliminate $x_1$ to solve

$$gyu^{-1}a = agyu^{-1}, \qquad yb = by.$$

Now only $y$ is unknown and we have $2n^2$ linear equations in $n^2$ variables: a heavily overdetermined system of linear equations, and an invertible matrix $y$ will be easily found. Shpilrain's attack is specific to the platform group $GL(n, \mathbb{F}_q)$. In particular, it uses the fact that $x$ and $u$ are invertible. Thus to thwart this attack, it makes sense to restrict the protocol to non-invertible matrices (since there is no inversion operation in the key setup). However, it is unclear whether or not this actually enhances the security of the protocol.
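The argument above carried through on a toy instance, as an added example that is not the paper's or Shpilrain's code: it runs the protocol of Section 3.3 in $GL(2, \mathbb{F}_{11})$, builds the $2n^2 \times n^2$ linear system for $y$ column by column (each column is the image of a unit matrix under the two linear maps), picks an invertible $y$ from the solution space, sets $x = (gyu^{-1})^{-1}$ and checks that $xvy$ equals the key both parties computed. The matrices $a$, $b$, $g$ and the parameters $n = 2$, $q = 11$ are choices made for this example; the point is the one the text makes, that the key is recovered without ever learning $l, m, r, s$.

```python
"""Stickel's key agreement in GL(2, F_11) and Shpilrain's linear-algebra attack.

Added example, not the paper's code. Matrices are lists of rows with entries
reduced mod Q; n = 2 and Q = 11 are toy choices made here.
"""
import random

Q = 11

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % Q
             for j in range(len(B[0]))] for i in range(len(A))]

def mat_sub(A, B):
    return [[(x - y) % Q for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def mat_pow(A, e):
    R = identity(len(A))
    while e:
        if e & 1:
            R = mat_mul(R, A)
        A, e = mat_mul(A, A), e >> 1
    return R

def row_reduce(M):
    """Reduced row echelon form over F_Q; returns (rref, pivot columns)."""
    M, pivots, r = [row[:] for row in M], [], 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, Q)
        M[r] = [x * inv % Q for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % Q for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == len(M):
            break
    return M, pivots

def mat_inv(A):
    """Gauss-Jordan inverse over F_Q; None if A is singular."""
    n = len(A)
    R, pivots = row_reduce([row + identity(n)[i] for i, row in enumerate(A)])
    return [row[n:] for row in R] if pivots == list(range(n)) else None

def nullspace(M):
    """A basis of {x : M x = 0} over F_Q, one vector per free column."""
    R, pivots = row_reduce(M)
    basis = []
    for fc in [c for c in range(len(M[0])) if c not in pivots]:
        v = [0] * len(M[0])
        v[fc] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-R[i][fc]) % Q
        basis.append(v)
    return basis

def order(A):
    P, k = A, 1
    while P != identity(len(A)):
        P, k = mat_mul(P, A), k + 1
    return k

def stickel_protocol(a, b, g, rng):
    """One run of the protocol; returns the messages u, v and both keys."""
    na, nb = order(a), order(b)
    l, m = rng.randrange(1, na), rng.randrange(1, nb)          # Alice's secrets
    r, s = rng.randrange(1, na), rng.randrange(1, nb)          # Bob's secrets
    u = mat_mul(mat_mul(mat_pow(a, l), g), mat_pow(b, m))      # Alice -> Bob
    v = mat_mul(mat_mul(mat_pow(a, r), g), mat_pow(b, s))      # Bob -> Alice
    k_a = mat_mul(mat_mul(mat_pow(a, l), v), mat_pow(b, m))
    k_b = mat_mul(mat_mul(mat_pow(a, r), u), mat_pow(b, s))
    return u, v, k_a, k_b

def shpilrain_attack(a, b, g, u, v, rng):
    """Recover k = x v y from public values only; no exponent is recovered."""
    n, w = len(a), mat_inv(u)
    # Column (p, k) of the system is the image of the unit matrix E_pk under
    # y -> y b - b y and y -> g y u^{-1} a - a g y u^{-1}, giving 2n^2 rows.
    cols = []
    for p in range(n):
        for k in range(n):
            E = [[int(i == p and j == k) for j in range(n)] for i in range(n)]
            gEw = mat_mul(mat_mul(g, E), w)
            f1 = mat_sub(mat_mul(E, b), mat_mul(b, E))
            f2 = mat_sub(mat_mul(gEw, a), mat_mul(a, gEw))
            cols.append([x for row in f1 + f2 for x in row])
    system = [[cols[c][r] for c in range(n * n)] for r in range(2 * n * n)]
    basis = nullspace(system)
    for _ in range(100):                     # random solution; skip singular y
        coeffs = [rng.randrange(Q) for _ in basis]
        flat = [sum(c * vec[i] for c, vec in zip(coeffs, basis)) % Q for i in range(n * n)]
        y = [flat[i * n:(i + 1) * n] for i in range(n)]
        if mat_inv(y) is not None:
            x = mat_inv(mat_mul(mat_mul(g, y), w))   # x = x_1^{-1}, x_1 = g y u^{-1}
            return mat_mul(mat_mul(x, v), y)
    return None

# Toy public parameters chosen here: a and b do not commute, g is invertible.
A_PUB = [[1, 1], [0, 1]]
B_PUB = [[1, 0], [1, 1]]
G_PUB = [[2, 3], [1, 4]]

def demo(seed=3):
    """Returns (k_a, k_b, k recovered by the attack) for one run."""
    rng = random.Random(seed)
    u, v, k_a, k_b = stickel_protocol(A_PUB, B_PUB, G_PUB, rng)
    return k_a, k_b, shpilrain_attack(A_PUB, B_PUB, G_PUB, u, v, rng)
```

Every solution of the linear system works, not only Bob's $b^m$: any $y$ commuting with $b$ for which $gyu^{-1}$ commutes with $a$ satisfies the three relations, and the derivation $xvy = a^r u b^s$ uses nothing else. That is why the exponents never need to be found, and why the fix the text mentions targets the invertibility of $x$ and $u$ rather than the size of the exponents.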

4.3 Analysis of schemes based on logarithmic signatures 

How can secure logarithmic signatures be generated? The main problem 
with the overwhelming majority of schemes based on logarithmic signa- 
tures is a failure to specify how this should be done. (The Qu-Vanstone 
scheme [76] is well specified, but Blackburn, Murphy and Stern [13] showed 
this scheme is insecure.) Magliveras et al. [62] had the idea of restricting 
the logarithmic signature used in $MST_1$ to be totally non-transversal, that is a logarithmic signature $\alpha$ for a group $G$ in which no block $A_i$ of $\alpha$ is a coset of a non-trivial subgroup of $G$. However, this condition was shown to be insufficient by Bohli et al. [13], who constructed instances of totally non-transversal logarithmic signatures that were insecure when used in $MST_1$. Key generation is also a problem for $MST_2$; see [37] for a critique of this. As for $MST_3$, this was recently cryptanalysed by the authors [12]. Thus it
seems that a significant new idea in this area is needed to construct a secure 
public key cryptosystem from logarithmic signatures. 

5 Next Steps 

Despite ten years of strong interest in group-based cryptography, a well- 
studied candidate for a secure, well-specified and efficient cryptosystem is 
yet to emerge: schemes that are more 'number theoretic' (such as those 
based on the elliptic curve DLP) currently have so many advantages. This 
is a disappointment (for the group theorist). However, we do not want to 
be overly pessimistic: we hope that the reader is already convinced that the 
protocols of Ko et al. and of Anshel et al. are elegant ideas, just waiting for 
the right platform group. Can such a platform group be found? We need a 
candidate group whose elements can be manipulated and stored efficiently, 
and an associated problem that is hard in the overwhelming majority of 
instances. There has been a great deal of attention on infinite groups (such 
as braid groups) that can be defined combinatorially, but we feel that finite 
groups deserve a much closer study; many difficulties disappear when we use 
finite groups. Note that groups with small linear representations are often 
problematic, as linear algebra can be used to attack such groups; groups with 
many normal subgroups (such as p-groups, for example) are often vulnerable 
to attacks based on reducing a problem to smaller quotients; groups with 
permutation representations of low degree are vulnerable to attacks based on 
the well developed theory of computational permutation group theory. So 
great care must be taken in the choice of group, and the choice of supposedly 
hard problem. More generally, we can move beyond the Ko et al. and Anshel
et al. schemes, and ask: Is there a secure and efficient key exchange protocol
based on group theoretic ideas? There are regular proposals, but the field is
still waiting for a proposal that stands up to long-term scrutiny.

We would like to point out that group-based cryptography motivates 
some beautiful and natural questions for the pure group theorist. Most ob- 
viously, the cryptosystems above motivate problems in computational group 
theory, especially combinatorial group theory. But we would like to highlight
two more problems as examples of the kind of questions that can arise.

Generic properties The cryptosystems described in this survey require
that elements and subgroups of a group $G$ are generated at random. This
needs to be defined precisely for this to make sense; one common method
would be to select at random a sequence of integers $\{a_1, a_2, \ldots, a_l\}$ of length
$l$, and for each $1 \le i \le l$, select at random a generator $x_i$ of $G$. We then out-
put the random element $w = x_1^{a_1} x_2^{a_2} \cdots x_l^{a_l}$. Many cryptosystems run into
problems because randomly generated sets of elements in the platform group
behave in a straightforward way when $l$ is large. This motivates the study
of generic properties of groups, namely properties that hold with proba-
bility tending to 1 as $l \to \infty$. For example, Myasnikov and Ushakov [68]
have shown that pure braid groups $PB_n$ have the strong generic free group
property: for any generating set of $PB_n$, when any $k$ elements are chosen
at random as above they freely generate a free group of rank $k$ generically.
An interesting and natural open problem is: does the same property hold
for the braid groups? See Myasnikov et al. [66] for a discussion of this
and related issues.

Short logarithmic signatures Let $G$ be a finite group of order $\prod_{j=1}^{k} p_j^{a_j}$
with $p_j$ distinct primes. Let $\alpha = [A_1, \ldots, A_s]$ be a logarithmic signature for
$G$, with $|A_i| = r_i$ for $1 \le i \le s$. Define the length of $\alpha$ to be $l(\alpha) := \sum_{i=1}^{s} r_i$.
The length of $\alpha$ is an efficiency measure: it is the number of elements that
must be stored in order to specify a typical logarithmic signature of this kind.
Since $|G| = \prod_{i=1}^{s} r_i$, we must have that $l(\alpha) \ge \sum_{j=1}^{k} a_j p_j$. A logarithmic
signature achieving this bound is called a minimal logarithmic signature for
$G$. An attractive open problem is: does every finite group have a minimal
logarithmic signature? Now, if $G$ has a normal subgroup $N$ with $G/N = H$
and $H$ and $N$ both have minimal logarithmic signatures then $G$ has a min-
imal logarithmic signature. In particular, it is clear that any soluble group
has a minimal logarithmic signature. Moreover, to answer the question in
the affirmative it suffices to consider simple groups only. Minimal logarith-
mic signatures have been found for $A_n$, $PSL_n(q)$, some sporadic groups and
most simple groups of order up to $10^{10}$; see [351 EH SOI IMl EQ] for further
details.
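The two notions used above and in Section 4.3, the length bound $l(\alpha) \ge \sum_j a_j p_j$ and the totally non-transversal condition (no block is a coset of a non-trivial subgroup), can be checked mechanically on a small group. The following is an added worked example, not code from the paper or from any of the schemes it surveys; it works in the cyclic group $\mathbb{Z}_n$ written additively, so a block is a list of residues and a "product" of block elements is a sum modulo $n$. All function names (`is_logarithmic_signature`, `chain_signature`, and so on) are this example's own.

```python
"""Logarithmic signatures of the cyclic group Z_n (added example, not from the paper)."""
from itertools import product


def prime_factorisation(n):
    """Return [(p, a), ...] with n = prod p^a, primes p ascending (trial division)."""
    factors, p = [], 2
    while p * p <= n:
        a = 0
        while n % p == 0:
            n //= p
            a += 1
        if a:
            factors.append((p, a))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def is_logarithmic_signature(blocks, n):
    """True iff every element of Z_n is a sum b_1 + ... + b_s (mod n), b_i in A_i,
    in exactly one way, i.e. the blocks form a logarithmic signature of Z_n."""
    seen = set()
    for choice in product(*blocks):
        g = sum(choice) % n
        if g in seen:          # two factorisations of the same element
            return False
        seen.add(g)
    return len(seen) == n      # every element reached


def length(blocks):
    """l(alpha) = sum of the block sizes r_i (storage cost of the signature)."""
    return sum(len(b) for b in blocks)


def minimal_length_bound(n):
    """Lower bound sum_j a_j p_j from |G| = prod_j p_j^{a_j}."""
    return sum(a * p for p, a in prime_factorisation(n))


def is_minimal(blocks, n):
    """A minimal logarithmic signature meets the bound with equality."""
    return is_logarithmic_signature(blocks, n) and length(blocks) == minimal_length_bound(n)


def is_coset_of_nontrivial_subgroup(block, n):
    """Is the block equal to b + H for some subgroup H of Z_n with |H| > 1?
    Shift so 0 is in the set; a finite subset of a group containing 0 and
    closed under the operation is a subgroup."""
    if len(block) < 2:
        return False
    shifted = {(x - block[0]) % n for x in block}
    return all((x + y) % n in shifted for x in shifted for y in shifted)


def is_totally_non_transversal(blocks, n):
    """The condition of Magliveras et al.: no block is a coset of a non-trivial subgroup."""
    return not any(is_coset_of_nontrivial_subgroup(b, n) for b in blocks)


def chain_signature(n):
    """Build a minimal logarithmic signature of Z_n from a chain of subgroups
    (the normal-subgroup argument of the text, iterated down to prime quotients):
    one block of size p per prime factor p, counted with multiplicity."""
    blocks, step = [], 1
    for p, a in prime_factorisation(n):
        for _ in range(a):
            blocks.append([step * i for i in range(p)])
            step *= p
    return blocks


if __name__ == "__main__":
    n = 12
    alpha = chain_signature(n)           # [[0, 1], [0, 2], [0, 4, 8]]
    print(alpha, length(alpha), minimal_length_bound(n), is_minimal(alpha, n))
    # A valid but non-minimal signature: Z_12 = {0..5} + {0, 6}, length 8 > 7.
    beta = [list(range(6)), [0, 6]]
    print(is_logarithmic_signature(beta, n), length(beta), is_minimal(beta, n))
    # The chain signature contains the subgroup {0, 4, 8}, so it is transversal.
    print(is_totally_non_transversal(alpha, n))
```

The chain construction is the additive analogue of the statement that a soluble group has a minimal logarithmic signature: each block is a transversal of one step of a subgroup chain with prime index, so the length adds up to exactly $\sum_j a_j p_j$. The same construction also shows why the totally non-transversal condition is restrictive, since every block it produces except the first is a subgroup or coset.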

Why do we attempt to propose new cryptosystems, when elliptic curve
DLP systems work well? A major motivation is the worry that a good algo-
rithm could be found for the elliptic curve DLP. This worry has increased,
and the search for alternative cryptosystems has become more urgent, with
the realisation that quantum computers can efficiently solve both the in-
teger factorisation problem and the standard variants of the DLP [79]. If
quantum computers of a practical size can be constructed, classical public
key cryptography is in trouble. Cryptosystems, including group-based ex-
amples, that are not necessarily vulnerable to the rise of quantum computers
have become known as post-quantum cryptosystems. A well known example,
invented well before quantum computers were considered, is the McEliece
cryptosystem [63] based on the difficulty of decoding error correcting codes.
Other examples include lattice-based cryptosystems (such as the GGH cryp-
tosystem [32, 69]) and cryptosystems based on large systems of multivariate
polynomial equations (such as the HFE family of cryptosystems [50, 74]).
Though many of these cryptosystems suffer from having large public keys,
they are often computationally efficient and so we feel that these schemes
are more likely than group-based cryptosystems to produce protocols that
will be used in practice. For a good and recent survey of the area, that in-
cludes more details on all the cryptosystems mentioned above, see Bernstein
et al. 0. 

We hope the reader is keen to learn more after finishing this introduc-
tion. We recommend consulting the IACR Cryptology ePrint Archive [55]
or Cornell University's arXiv [4] (especially the group theory and cryptog-
raphy sections) for new papers; we currently find the ePrint archive the
most reliable source of high quality cryptography. Boaz Tsaban's CGC
Bulletin [21] provides regular updates on the main articles and events in
the area. There are many conferences dealing with cryptographic issues,
see [H] for a good list; those conferences sponsored by the IACR are re-
garded in the field as being of top quality, though good conferences are not
limited to IACR sponsored events. The Journal of Cryptology and IEEE
Trans. Inform. Theory publish excellent papers in the area; Designs, Codes
and Cryptography is a well-established source. New specialist journals that
publish papers on group-based cryptography include the Journal of Mathe-
matical Cryptology and Groups-Complexity-Cryptology. For information on
group-based schemes based on combinatorial group theory in particular, we
would encourage the reader to consult the textbook of Myasnikov et al. [66].